>The risk of being able to identify an individual starting with an IP
>address listed in a black list is very small, and the impact very small,
>but the benefits from publishing them should be very clear.
Your discussion and the associated paper imply that the list
operator/security personnel are always right because they are protecting
the Internet. It implies their mission is more important than any other
issue that someone may have. "It should be very clear" implies that if
you have another opinion then there must be something wrong with you.
This is the attitude many of those involved in abuse have and I am
trying to point out that there are problems with such a position. It
gives people involved in abuse the idea that they don't have to answer
to anyone or abide by the same rules as everyone else.
If the list is run poorly the impact can be tremendous. Cisco and
Microsoft both currently run blacklists that generate all sorts of
complaints. They often won't tell people why they were put on the
lists. Even when they remove someone, people report the staff is
arrogant and accusatory. They assume anyone on the list is guilty and
it is up to them to prove otherwise. The complaints say sometimes they
don't remove false alarms for months. Another guy in Australia running
a blacklist used to demand "donations" to get removed and if he got into
an argument with someone he would add them to the list. (On top of that
he used to register for free DNS services and crash them by uploading
his blacklist). Many in abuse do not think twice about advising ISPs
to do deep packet inspection to find abuse and malware without ever
considering the ISP's marketing department will use the system for other
purposes. The people involved in privacy are the same way. They often
don't consider the security implications of keeping everything private.
No, I do not agree that ignoring or minimizing the privacy issues is
justified because of the benefits. The blacklists of today are much
like the early days of credit reporting when there were no clear rules
and people could not get mistakes fixed. The blacklist operators should
promote these protections to improve their products rather than looking
for excuses to avoid them.
Thank You